Hi Jim,
SAP Single Sign-On supports several different scenarios, with different infrastructure requirements. If you plan to use Kerberos / SPNEGO to authenticate to the SAP systems, then you do not need any additional server. The user authentication is handled by AD and the SAP systems accept the Kerberos token for single sign-on.
If on the other hand you plan to use the Secure Login Server or the SAP Identity Provider, then you will have to install these as additional server components on some AS Java. However, also in this scenario you do not need to copy user information to the SAP Single Sign-On components. Instead you configure SAP Single Sign-On to validate user credentials against your existing user store, which could be LDAP, ABAP or UME.
Best regards,
Christian